The phrase “exceeds authorized” in the CFAA is limited to access restrictions, and does not extend to use restrictions.

Opinion (Kozinski): David Nosal worked for an executive search firm called Korn/Ferry. After leaving Korn/Ferry, he recruited some of his associates still working at Korn/Ferry to help him start a competing business. These employees accessed Korn/Ferry’s source lists, names, and contact information from a confidential database. They then transferred the information to Nosal. Nosal was indicted for violations of the Computer Fraud and Abuse Act (CFAA) under 18 U.S.C. § 1030(a)(4) for “aiding and abetting the Korn/Ferry employees in ‘exceed[ing their] authorized access’ with intent to defraud,” and for trade secret theft, among other charges. The district court dismissed most of the counts for failure to state an offense, which the United States then appealed. The Court of Appeals found the CFAA to be concerned with preventing hacking, and not with the misappropriation of trade secrets. Under the Appellate Court’s statutory analysis, the phrase “exceeds authorized access” was to be interpreted narrowly, and should be limited to violations of “access” to information, not the “use” of information. Here, the employees of Korn/Ferry only accessed information they were authorized to access and therefore were not in violation of the CFAA. The district court’s ruling was AFFIRMED.